Facebook on defending against firmware threats (and osquery)

Ted Reed of Facebook — aka the Teddy Reed who creates UEFI Firmware Parser and related tools — posted a VERY GOOD article on how Facebook defends systems against hardware and firmware attacks, including coverage of Facebook’s osquery tool, and his recent Usenix Enigma presentation. Excerpt of introduction (with whitespace editing by me, sorry):

Hardware and Firmware Attacks: Defending, Detecting, and Responding

The attack landscape for firmware is maturing and needs more attention from defense and detection communities. Recent examples of firmware attacks include the Equation Group’s attacks on drive firmware, Hacking Team’s commercialized EFI RAT, Flame, and Duqu. Simple tools like osquery give defenders important insights about what’s happening on their network so they can quickly detect a potential compromise. Facebook released osquery as an open source project in 2014. Facebook recently added hardware monitoring to osquery, which already aids security teams in vulnerability management, incident response, OS X attacks, and IT compliance.

Firmware on commodity laptops and servers is interesting to me as a security engineer for several reasons. This code often bootstraps trust protocols and protective architecture primitives. At the same time, it is a target for vulnerabilities aimed at bypassing those exact controls to unlock, jailbreak, and homebrew — for either good or malicious purposes. Firmware is also a vector for virtualization escapes, hypervisor attacks, and extreme persistence. That risk is magnified by the same fragmentation problem plaguing Android devices, but with an even more complex ecosystem of developers and supported devices.

Recent examples of firmware attacks include the Equation Group’s attacks on drive firmware, Hacking Team’s commercialized EFI RAT, Flame, and Duqu. Trammell Hudson’s Thunderstrike-style local system takeover is fast and effective. Drew Suarez’s demonstrations of firmware flashing of Android devices take four seconds of a distracted local user’s attention. Additionally, Computrace has used a UEFI DXE driver capable of injecting a RAT onto unencrypted NTFS partitions for several years. All of this makes firmware security critical for protecting your enterprise.

This week, I shared recent work on firmware security at the Enigma 2016 Conference, hosted by USENIX. Since releasing osquery to open source in 2014, I’ve been using it to explore new ways to recognize vulnerable systems and potential compromise. Defensive security professionals should begin scoping firmware components and use simple tools like osquery to gather insight and signal from their corporate network. […]

Full post:

I’ve not used Facebook’s osquery before, so I have a lot of catching up to do. ;-(

VirusTotal now targets firmware



In related news, Teddy Reed’s UEFI Firmware Parser has been recently updated:


UEFI Firmware Parser now in Cheese Shop

The other day I noticed some Github activity for Teddy Reed’s UEFI Firmware Parser, but didn’t notice any formal new announcement. It appears I was not looking in the right place. The parser is now in the official Python Cheese Shop! And it is named “uefi_firmware”, not UEFI Firmware Parser, which explains that comment in the comment log. 🙂 It’ll be nice to have this tool more easily available in Python. I hope the next time the UEFI Forum updates its UEFI port of CPython, they add this module to the UEFI port.



tool: Subzero

Teddy Reed, author of UEFI Firmware Parser and UEFI Spider, also has a related project called Subzero. Excerpting the README:

The project includes both a web interface and a set of importing and map/reduction scripts used for vulnerability analysis on Firmware Updates (specifically those parsed by uefi-firmware-parser.) The import of firmware is complemented with the descriptions and metadata mined from uefi-spider in JSON form. This web interface will eventually include a submission form used to detect/match unknown updates against the corpus of imported data.

Dependencies:

* RethinkDB (python rethinkdb)
* ssdeep (pydeep)
* python-magic
* Ruby/Rails (and the associated gems)
* uefi-spider
* uefi-firmware-parser

Firmware import: The importing process uses 4 steps, and assumes you have downloaded or crawled firmware update either from vendors or an enterprise: (1) Importing metadata about the updates; (2) Parsing and importing a hierarchy of components within a single firmware update; (3) Comparing product updates and vendor statistics; (4) Scheduling map/reductions to generate statistics on the firmware corpus. Step 2 is quite involved and uses multiple scripts specific to each vendor supported by Subzero. Since each vendor distributes their firmware uniquely, these scripts must preprocess and extract firmware components such as flash descriptors, UEFI Volumes, or other non-monolithic blobs for import. Once this data is isolated Subzero can use specifications and standards (and a lot of python) to parse each subcomponent and store the binary content and hierarchy of relations (a tree).

Features:

* WebUI display of UEFI, Flash, and other firmware formats.
* Graph-views of vendor update frequency, metadata, and firmware changes.
* Vulnerability analysis through a variety of techniques.
* Export and download of firmware components.

Supported Vendors: ASRock, Dell, Gigabyte, Intel, Lenovo, HP, MSI, VMware



tool mini-review: UEFI Firmware Parser

Here’s a short review of “UEFI Firmware Parser”, a UEFI security/diagnostic tool by Teddy ‘theopolis’ Reed.

“The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats. Features:
– UEFI Firmware Volumes, Capsules, FileSystems, Files, Sections parsing
– Intel PCH Flash Descriptors
– Intel ME modules parsing (for ARC5)
– Dell PFS (HDR) updates parsing
– Tiano/EFI, and native LZMA (7z) [de]compression
– Complete UEFI Firmware volume object hierarchy display
– Firmware descriptor [re]generation using the parsed input volumes
– Firmware File Section injection”

This package is actually three tools, not just one:

fv_parser.py is the UEFI Firmware Parser itself, which searches a file for UEFI firmware volumes; the package ships two other tools/scripts alongside it.

uefi_guids.py is another tool, which outputs GUIDs for files, optionally writes a GUID structure file, and can import GUID labels into IDA.

fv_injector.py is the GUID Injector, which replaces GUIDs on sections within a UEFI firmware file, or on UEFI firmware files within a firmware filesystem.

The tools are written in Python. The package requires Python development headers, GCC, and the Python pefile library. To install, use the normal:

$ sudo python ./setup.py install


$ python ./scripts/fv_parser.py -h
usage: fv_parser.py [-h] [--type {VARIOUS_TYPES}]
[-b] [-q] [-o OUTPUT] [-e] [-g GENERATE] [--test]
file [file …]
-h, --help            show this help message and exit
--type {VARIOUS_TYPES} Parse files as a specific firmware type.
-b, --brute           The input is a blob and may contain FV headers.
-q, --quiet           Do not show info.
-o OUTPUT, --output OUTPUT Dump EFI Files to this folder.
-e, --extract         Extract all files/sections/volumes.
-g GENERATE, --generate GENERATE Generate a FDF, implies extraction
--test                Test file parsing, output name/success.

$ python ./scripts/uefi_guids.py -h
usage: uefi_guids.py [-h] [-c] [-b] [-d] [-g GENERATE] [-u] file
-h, --help            show this help message and exit
-c, --capsule         The input file is a firmware capsule, do not search.
-b, --brute           The input file is a blob, search for firmware volume headers.
-d, --flash           The input file is a flash descriptor.
-g GENERATE, --generate GENERATE  Generate a behemonth-style GUID output.
-u, --unknowns        When generating also print unknowns.

$ python ./scripts/fv_injector.py -h
usage: fv_injector.py [-h] [-c] [-p] [-f] [--guid GUID] --injection INJECTION
-h, --help            show this help message and exit
-c, --capsule         The input file is a firmware capsule.
-p, --pfs             The input file is a Dell PFS.
-f, --ff              Inject payload into firmware file.
--guid GUID           GUID to replace (inject).
--injection INJECTION Pre-generated EFI file to inject.
-o OUTPUT, --output OUTPUT Name of the output file.
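To make the "blob" / "brute" mode of fv_parser.py and the GUID output of uefi_guids.py concrete, here is a small added example of my own (not code from uefi-firmware-parser or from Teddy Reed): it scans a flash blob for the "_FVH" signature, reads the surrounding EFI_FIRMWARE_VOLUME_HEADER as laid out in the PI specification, verifies the header checksum so that a stray "_FVH" string is not mistaken for a volume, and labels the firmware filesystem GUID in the usual mixed-endian text form. The sample blob, the attribute value and the 0x1000-byte volume size are constructed for the demonstration.

```python
"""Brute-force search for UEFI Firmware Volume headers in a flash blob.

Added example, not code from uefi-firmware-parser: a self-contained Python
version of what `fv_parser.py -b` does for the volume-header step. It walks a
blob looking for "_FVH", reads the EFI_FIRMWARE_VOLUME_HEADER around each hit,
checks the header checksum and names the filesystem GUID.
"""
import struct
import uuid

FVH_SIGNATURE = b"_FVH"
SIGNATURE_OFFSET = 40  # Signature sits 40 bytes into EFI_FIRMWARE_VOLUME_HEADER

# EFI_FIRMWARE_VOLUME_HEADER up to (not including) the variable-length BlockMap:
# ZeroVector[16], FileSystemGuid, FvLength, Signature, Attributes, HeaderLength,
# Checksum, ExtHeaderOffset, Reserved, Revision (all little-endian, no padding)
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)  # 56

# Firmware filesystem GUIDs defined by the PI specification.
KNOWN_FS_GUIDS = {
    "8c8ce578-8a3d-4f1c-9935-896185c32dd3": "EFI_FIRMWARE_FILE_SYSTEM2_GUID",
    "5473c07a-3dcb-4dca-bd6f-1e9689e7349a": "EFI_FIRMWARE_FILE_SYSTEM3_GUID",
}


def guid_to_str(raw16):
    """Format a 16-byte on-disk GUID (first three fields are little-endian)."""
    return str(uuid.UUID(bytes_le=raw16))


def header_checksum_ok(header):
    """The 16-bit sum over the whole header (HeaderLength bytes) must be zero."""
    if len(header) % 2:
        return False
    words = struct.unpack("<%dH" % (len(header) // 2), header)
    return sum(words) & 0xFFFF == 0


def find_firmware_volumes(blob):
    """Return one dict per "_FVH" hit; checksum_ok separates real FVs from noise."""
    found = []
    pos = blob.find(FVH_SIGNATURE)
    while pos != -1:
        start = pos - SIGNATURE_OFFSET
        if start >= 0 and start + FV_HEADER_SIZE <= len(blob):
            (_zero, fs_guid, fv_len, _sig, _attrs, hdr_len,
             _csum, _ext, _res, rev) = struct.unpack_from(FV_HEADER_FMT, blob, start)
            header = blob[start:start + hdr_len]
            guid = guid_to_str(fs_guid)
            found.append({
                "offset": start,
                "fs_guid": guid,
                "fs_name": KNOWN_FS_GUIDS.get(guid, "unknown"),
                "fv_length": fv_len,
                "header_length": hdr_len,
                "revision": rev,
                # a real header is at least the fixed part, fully inside the
                # blob, and sums to zero; a stray "_FVH" string fails this
                "checksum_ok": (hdr_len >= FV_HEADER_SIZE
                                and len(header) == hdr_len
                                and header_checksum_ok(header)),
                "fits_in_blob": start + fv_len <= len(blob),
            })
        pos = blob.find(FVH_SIGNATURE, pos + 1)
    return found


def build_fv_header(fs_guid_str, fv_length, block_size, revision=2):
    """Build a spec-shaped FV header with a correct checksum (for the sample blob)."""
    block_map = struct.pack("<II", fv_length // block_size, block_size)
    block_map += struct.pack("<II", 0, 0)  # terminating block-map entry
    hdr_len = FV_HEADER_SIZE + len(block_map)
    attributes = 0x0004FEFF  # constructed sample EFI_FVB2_* flag set

    def pack(checksum):
        fixed = struct.pack(FV_HEADER_FMT, b"\x00" * 16,
                            uuid.UUID(fs_guid_str).bytes_le, fv_length,
                            FVH_SIGNATURE, attributes, hdr_len, checksum,
                            0, 0, revision)
        return fixed + block_map

    words = struct.unpack("<%dH" % (hdr_len // 2), pack(0))
    return pack((-sum(words)) & 0xFFFF)  # makes the 16-bit sum come out to zero


def build_sample_blob():
    """Constructed input: 0x200 bytes of 0xFF filler holding a stray "_FVH" string
    (a false positive for a naive scan), then one valid FFS2 volume of 0x1000 bytes."""
    filler = bytearray(b"\xff" * 0x200)
    filler[100:104] = FVH_SIGNATURE
    fv_length = 0x1000
    header = build_fv_header("8c8ce578-8a3d-4f1c-9935-896185c32dd3", fv_length, 0x1000)
    return bytes(filler) + header + b"\xff" * (fv_length - len(header))


if __name__ == "__main__":
    for fv in find_firmware_volumes(build_sample_blob()):
        print("FV @ 0x%06x len=0x%x rev=%d %s checksum_ok=%s" % (
            fv["offset"], fv["fv_length"], fv["revision"],
            fv["fs_name"], fv["checksum_ok"]))
```

Run against a real image dump you would replace build_sample_blob() with the file contents; the checksum and length checks are what keep a signature scan honest, since "_FVH" can also appear inside option ROM strings or earlier copies of a volume.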

More Information: